Build a Secure FTP Dropbox with vsftpd

Best of ENP: Secure FTP, Part 1: Providing secure services for your users is a tough balancing act between best practice and ease of use. With vsftpd, you can set up a hardened ftp server quickly and easily. And come back next week for tips on handling the client side.

FTP (define) servers are wonderful things. They are quick to set up and endlessly useful. It's a quick and easy way for users to share files. Businesses that depend on large file transfers, such as printers and design houses, should use FTP. You can set up an upload directory for customers in the hopes of training them to transfer huge files via FTP, instead of attached to email. And believe it or not, this is usually successful. The key to getting reluctant users to use FTP is to help them set up their FTP clients so that they can transfer files with just a few mouse clicks. (Y'all be sure to come next week for a detailed look at FTP clients.)

The tricky part about running an FTP server is keeping it secure. FTP is an insecure protocol -- all traffic is sent in cleartext. So don't use it for sensitive documents.

Of greater concern to hardworking sysadmins is the possibility of an attacker exploiting FTP server weaknesses to gain control of the entire system. For example WU-FTPD, one of the most popular FTP servers, has a long history of being compromised. And WU-FTPD is not alone -- all FTP servers have experienced security troubles at one time or another.

vsftpd

Enter vsftpd, "very secure ftpd," which was built from the ground up to be secure. vsftpd bills itself as "Probably the most secure and fastest FTP server for UNIX-like systems." It's certainly the most confident. vsftpd boasts a stellar list of users: Red Hat, SuSE, Debian, Gnome, Kernel.org, and many other F/OSS (free/open source) luminaries run their public FTP repositories with vsftpd.

Installation

Source tarball, RPM, apt-get, Yum, whatever -- you know the drill. Even if you install it from a package, be sure to visit the online source tree to read example configurations and all the READMEs. Then start it up to test that it installed correctly:

You must use "anonymous" as the login name, but anything will work for the password- just hit the return key or type random gibberish. The usual convention is to use an email address. If you run the ls command, you'll see there are no files yet. Because you must put them there. The default ftp directory is /home/ftp. Go ahead, put some files in there, then run ls to see them.

Test Drive

Just for fun, copy some files into your nice new vsftpd server by grabbing some random files and plunking them down in /home/ftp. Then log in, display a directory listing, and download a file:

Creating An Upload Directory

Suppose you want your customers to FTP large files to you instead of gumming up your mail server with gigantic attachments. You probably don't want these files to be publicly accessible, and you really don't want to hassle with setting up special directories for every customer. No problem, there is a simple way to manage this.

First create a special upload directory. Mode 2733 allows write access only, and sets group ownership on all uploaded files to "nogroup." So users can upload files, but they cannot download files, or even see a directory listing:

# mkdir -m 2733 /home/ftp/upload

Then uncomment these lines in /etc/vsftpd.conf:

write_enable=YES
anon_upload_enable=YES

Restart vsftpd with /etc/init.d/vsftpd restart, then try it for yourself- you can put a file, but not get a file. Now all kinds of strange people can upload files to you, but only you can retrieve and read them. And even though you enabled write access, no one can FTP files to your root directory, because the download directory permissions are read-only. So you now have a download-only directory, and an upload-only directory. For the sake of tidiness and sensible organization, it's good to also create a downloads subdirectory, rather than using the root directory.

Refinements

Usually a site like this is low-risk -- it's not likely that l33t hax0rs or other Internet vermin will find it and do mischief, because you're not advertising it to the world. But vsftpd comes with some simple access controls which can come in handy. The secure_email_list_enable=YES directive lets you set up a list of email passwords. The login is still "anonymous," but allowed users must enter their email address for the password. The default password file is /etc/vsftpd.email_passwords. List one password per line with no whitespaces.

Conversely, use the deny_email_enable=YES directive to deny access to certain email passwords. The default banned password file is /etc/vsftpd.banned_emails.

dirmessage_enable=YES looks for a .message file in each directory. This lets you greet users with a custom message, which is useful for giving instructions, warnings, lessons in philosophy, your latest spam haiku, whatever you like.

The ftpd_banner=[text] directive lets you write a custom banner, which is displayed at login. The default banner is the boring "(vsFTPd 2.0.1)." To get really fancy and display elaborate ASCII art, create a file containing all of your creativity and call it using the banner_file=[filename] directive.

Next week we'll take a detailed look at Linux and Windows FTP clients, and how to configure them for convenience and security.